Cisco Talos has exposed the inner workings of ARToken, a professionally built phishing-as-a-service platform that gives even low-skill criminals a point-and-click way to break into Microsoft 365 accounts. Rather than stealing passwords, ARToken steals the sign-in tokens Microsoft issues after login, which lets attackers slip past multi-factor authentication and hold onto access long after a victim resets their credentials. It is the latest and most capable branch of the EvilTokens ecosystem that researchers first documented earlier in 2026.
Token theft, not password theft
ARToken abuses Microsoft's OAuth 2.0 device code flow, a legitimate feature meant for signing in devices like smart TVs that lack a keyboard. The lure tricks a target into approving a device on the attacker's behalf, handing over an access token and, crucially, a Primary Refresh Token. Because that token is what Windows uses to keep a user signed in across apps, capturing it lets the operator refresh access indefinitely. Talos notes the persistence chain survives across password changes, so the usual advice to reset a password does not evict the intruder on its own.
A full back office for account takeover
The panel exposes more than 80 API endpoints through a polished web dashboard. Operators can read a victim's inbox, send mail as the victim with hidden copies to themselves, plant forwarding rules to quietly siphon future messages, and watch mailboxes for keywords like "invoice" or "payment." A built-in module browses and downloads files from the victim's SharePoint and OneDrive. Tokens can be exported, backed up, and even shared between operators, and the system drops the victim's own city and country into lures to make them more convincing. In one case Talos traced, the operators spoofed an accounts-payable contact at a US contractor to target a payments handler at a life-sciences firm with a fake invoice, a classic business email compromise play.
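The forwarding rules and keyword watches described above leave a footprint in the victim's mailbox rules. The following added example (not Talos's code and not part of ARToken) audits a list of inbox rules for the three traits that matter here: forwarding or redirecting to an address outside the organisation, conditions that match payment-related terms, and actions that hide the matched mail from the owner. The rule objects are constructed samples whose shape is assumed to follow the Microsoft Graph `messageRule` resource (`conditions.subjectContains`, `actions.forwardTo`, and so on); the `moveToFolder` values are assumed to be well-known folder names rather than folder IDs, and the domain `example.com` and the addresses are placeholders.

```python
"""Audit mailbox inbox rules for the siphoning pattern used in M365 account takeover.

Added example, not code from the Talos report or from the ARToken panel. Rule
shape is assumed to mirror the Microsoft Graph messageRule resource; the sample
rules and addresses below are constructed."""

# Terms the briefing says operators watch for; extend to fit your environment.
FINANCE_TERMS = {"invoice", "payment", "wire", "remittance", "bank"}

# Folders an owner is unlikely to read; a forward combined with one of these hides the copy.
# Assumed to be well-known folder names (Graph normally uses folder IDs here).
HIDING_FOLDERS = {"deleteditems", "junkemail", "conversationhistory", "rssfeeds"}

# Constructed sample rules as they might come back from an inbox-rules export.
SAMPLE_RULES = [
    {
        "displayName": "Invoice watch",
        "isEnabled": True,
        "conditions": {"subjectContains": ["Invoice", "Payment due"]},
        "actions": {
            "forwardTo": [{"emailAddress": {"address": "collector@attacker.example"}}],
            "markAsRead": True,
            "moveToFolder": "deleteditems",
        },
    },
    {
        "displayName": "Team alias",
        "isEnabled": True,
        "conditions": {},
        "actions": {"forwardTo": [{"emailAddress": {"address": "colleague@example.com"}}]},
    },
    {
        "displayName": "Newsletters",
        "isEnabled": True,
        "conditions": {"senderContains": ["news@"]},
        "actions": {"moveToFolder": "archive"},
    },
    {
        "displayName": "Old test",
        "isEnabled": False,  # disabled rules are skipped; re-enabling one is a separate signal
        "conditions": {},
        "actions": {"redirectTo": [{"emailAddress": {"address": "x@attacker.example"}}]},
    },
]


def _addresses(recipients):
    """Flatten Graph recipient objects into lowercase e-mail addresses."""
    return [r.get("emailAddress", {}).get("address", "").lower() for r in recipients or []]


def _is_external(address, internal_domain):
    return bool(address) and not address.endswith("@" + internal_domain.lower())


def audit_rules(rules, internal_domain):
    """Return a finding per enabled rule that shows one or more siphoning traits."""
    findings = []
    for rule in rules:
        if not rule.get("isEnabled", True):
            continue
        actions = rule.get("actions", {})
        conditions = rule.get("conditions", {})
        reasons = []

        # Any of the three forward/redirect actions can exfiltrate future mail.
        targets = (
            _addresses(actions.get("forwardTo"))
            + _addresses(actions.get("redirectTo"))
            + _addresses(actions.get("forwardAsAttachmentTo"))
        )
        external = [a for a in targets if _is_external(a, internal_domain)]
        if external:
            reasons.append("external_forward")

        # Keyword conditions that single out payment traffic.
        terms = []
        for key in ("subjectContains", "bodyContains", "bodyOrSubjectContains"):
            terms.extend(t.lower() for t in conditions.get(key, []))
        if any(any(f in t for f in FINANCE_TERMS) for t in terms):
            reasons.append("finance_keywords")

        # Forward plus delete/mark-as-read/move-away keeps the owner from noticing.
        hides = bool(actions.get("delete")) or bool(actions.get("markAsRead")) or (
            str(actions.get("moveToFolder", "")).lower() in HIDING_FOLDERS
        )
        if hides and targets:
            reasons.append("hides_messages")

        if reasons:
            findings.append({
                "rule": rule.get("displayName", ""),
                "reasons": reasons,
                "external_recipients": external,
            })
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES, "example.com"):
        print(f)
```

Run it over a real export (for example the output of `Get-InboxRule` or the Graph `/users/{id}/mailFolders/inbox/messageRules` call) and treat any rule with `external_forward` or `hides_messages` as a containment trigger, not just an alert: the rule keeps working after the token is revoked.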
Built to dodge researchers
ARToken wraps its phishing pages in a seven-layer anti-analysis system that checks for automated browsers, watches for realistic mouse movement, and enforces timing gates before serving the malicious content, so security scanners and sandboxes tend to see a harmless page. Payloads are scrambled with XOR encryption at runtime. Together these make the operation hard to detect and study.
What defenders should do
Token-stealing attacks blunt basic multi-factor authentication, so the fixes differ from ordinary phishing. Organizations should treat any unexpected device-code approval prompt as hostile, use conditional access policies that bind sign-ins to managed or compliant devices, and, after a suspected compromise, revoke active sessions and refresh tokens rather than only resetting the password. This is the same token-theft playbook behind the earlier EvilTokens phishing kit and nation-state device code phishing campaigns, now packaged as an off-the-shelf crime service. The full technical breakdown is in Cisco Talos's report.
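The device code abuse described earlier and the defender guidance above both come down to two controls: seeing device-code sign-ins when they happen, and stopping the flow for users who have no business using it. The following added example (not Talos's code, not part of the report) does both against constructed data. The sign-in records are assumed to follow the Microsoft Graph `signIn` resource, where `authenticationProtocol` takes the value `deviceCode` for this flow; the policy body is assumed to follow the Graph `conditionalAccessPolicy` schema with its `authenticationFlows.transferMethods` condition. User names and IP addresses are placeholders.

```python
"""Flag device-code-flow sign-ins and build a Conditional Access policy that blocks the flow.

Added example, not code from the Talos report. Record shape is assumed to mirror
the Microsoft Graph signIn resource; the policy body is assumed to mirror the
Graph conditionalAccessPolicy resource. All sample data is constructed."""
import json
from collections import defaultdict

# Constructed sign-in log excerpt. Only the fields the triage uses are included.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-03-02T07:30:00Z", "userPrincipalName": "it-admin@example.com",
     "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.40",
     "appDisplayName": "Azure Portal"},
    {"createdDateTime": "2026-03-02T08:00:00Z", "userPrincipalName": "ap-clerk@example.com",
     "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.22",
     "appDisplayName": "Outlook Web"},
    # Device-code approval from an address this user has never signed in from.
    {"createdDateTime": "2026-03-02T08:14:05Z", "userPrincipalName": "ap-clerk@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.7",
     "appDisplayName": "Microsoft Office"},
    # Device-code sign-in from an admin's usual address (still worth a look, lower priority).
    {"createdDateTime": "2026-03-02T09:00:00Z", "userPrincipalName": "it-admin@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.40",
     "appDisplayName": "Microsoft Azure CLI"},
    {"createdDateTime": "2026-03-02T09:05:00Z", "userPrincipalName": "ceo@example.com",
     "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.9",
     "appDisplayName": "Microsoft Teams"},
]


def device_code_signins(records):
    """Every sign-in that completed through the device code flow."""
    return [r for r in records if r.get("authenticationProtocol") == "deviceCode"]


def baseline_ips(records):
    """Per user, the source IPs seen on ordinary (non-device-code) sign-ins."""
    seen = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            seen[r["userPrincipalName"].lower()].add(r["ipAddress"])
    return seen


def triage(records):
    """Device-code sign-ins in time order, each marked if the IP is new for that user.

    A device-code approval from an address the user has never used interactively is
    the shape of the ARToken lure: the victim approves, the attacker's host consumes.
    """
    known = baseline_ips(records)
    findings = []
    for r in sorted(device_code_signins(records), key=lambda r: r["createdDateTime"]):
        upn = r["userPrincipalName"].lower()
        findings.append({
            "user": upn,
            "when": r["createdDateTime"],
            "ip": r["ipAddress"],
            "app": r.get("appDisplayName", ""),
            "new_ip": r["ipAddress"] not in known.get(upn, set()),
        })
    return findings


def block_device_code_policy(report_only=True):
    """Conditional Access policy body that blocks the device code flow tenant-wide.

    Start in report-only mode so genuine keyboard-less devices show up in the
    sign-in log before enforcement; exclude those users or devices, then enable.
    """
    return {
        "displayName": "Block device code flow",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            # Assumed schema: authenticationFlows condition with transferMethods.
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    for f in triage(SAMPLE_SIGNINS):
        print(f)
    print(json.dumps(block_device_code_policy(), indent=2))
```

For a user that `triage` flags with `new_ip`, the containment the briefing calls for is a session and refresh-token revocation (`POST /users/{id}/revokeSignInSessions` in Graph, or `Revoke-MgUserSignInSession` in PowerShell) followed by the password reset, in that order; resetting alone leaves the stolen refresh token usable.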
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.